Re: [TLS] Why Edwards? (was Re: TLS process thread)

Nico Williams <nico@cryptonector.com> Tue, 15 April 2014 15:35 UTC

In-Reply-To: <A02DB62F-EABE-4346-AC0D-511330332FA3@vigilsec.com>
References: <CACsn0cn1EBhtvtq4X3J0h1TUq5nGvRyP818oY4rhqfqJA4aELg@mail.gmail.com> <CAK3OfOhCn1h7+wO8PCLK0_+ZRnJ_OxNSCinz_f_Enn3DqUjHDg@mail.gmail.com> <A02DB62F-EABE-4346-AC0D-511330332FA3@vigilsec.com>
Date: Tue, 15 Apr 2014 10:35:47 -0500
Message-ID: <CAK3OfOgum_WMkk9y6PQg08NT54JC-E7ZKNwv3PVX8NTQNgdZLQ@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Russ Housley <housley@vigilsec.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/7Lr6YWMJYOaqw3jV-ZNW74CuyTo
Cc: IETF TLS <tls@ietf.org>
Subject: Re: [TLS] Why Edwards? (was Re: TLS process thread)

On Tue, Apr 15, 2014 at 8:12 AM, Russ Housley <housley@vigilsec.com> wrote:
>> That we have NIST curves code lying around is not a sufficient
>> argument: it will either not be constant time or its performance will
>> not be anywhere near as good as implementations of comparable Edwards
>> curves.  The first consideration (no side channels) is unarguably a
>> hard requirement; the second (good performance) is close enough to a
>> hard requirement that it might as well be.
>
> If your last paragraph is a response to the postings that I made yesterday, then you are oversimplifying my points.

It was in response to your post (I should have responded separately,
but I also wanted to respond to that generally and in the same place
in which I supported Watson's comments).

> I am not arguing against the adoption of Edwards curves.  However, I am saying that there are many that will need FIPS 140 certification, and we need to accommodate that community as well.  This will be important in the way that the curve being used is negotiated.

FIPS-140 may be in for some modernization.

Nico
--
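The quoted paragraph above makes "no side channels" a hard requirement for whatever curve code ships. What that requirement means at the algorithm level is easier to see in code than in prose, so here is an added example (not from this thread or any of its participants): RFC 7748's X25519 Montgomery ladder written two ways in Python, once with the masked conditional swap the RFC specifies and once with a secret-dependent `if`. The field arithmetic, clamping and known-answer vectors are RFC 7748's own; the `trace` list that records which branch ran is a constructed stand-in for what a branch-predictor or instruction-cache side channel observes, and `recover_scalar` is the attacker's side of that model.

```python
# Added example: X25519 (RFC 7748) scalar multiplication written two ways,
# to show what "constant time" means at the algorithm level.  The field and
# ladder formulas are RFC 7748's; the trace-recording attacker model is a
# constructed illustration, not part of the RFC or of the TLS thread.
P = 2**255 - 19
A24 = 121665          # (486662 - 2) / 4 for Curve25519


def decode_scalar(k: bytes) -> int:
    """RFC 7748 decodeScalar25519: clamp, then read little-endian."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def decode_u(u: bytes) -> int:
    """RFC 7748 decodeUCoordinate: ignore the unused top bit."""
    b = bytearray(u)
    b[31] &= 127
    return int.from_bytes(b, "little")


def ladder_step(x1, x2, z2, x3, z3):
    """One differential step: returns (2*R0, R0+R1) in projective x-only form.
    x1 is the x-coordinate of the fixed difference R1 - R0."""
    a, b = (x2 + z2) % P, (x2 - z2) % P
    aa, bb = a * a % P, b * b % P
    e = (aa - bb) % P
    c, d = (x3 + z3) % P, (x3 - z3) % P
    da, cb = d * a % P, c * b % P
    nx3 = (da + cb) ** 2 % P
    nz3 = x1 * ((da - cb) ** 2 % P) % P
    nx2 = aa * bb % P
    nz2 = e * ((aa + A24 * e) % P) % P
    return nx2, nz2, nx3, nz3


def cswap(swap, a, b):
    """Branch-free conditional swap: mask is all-ones iff swap == 1."""
    mask = -swap            # Python ints: -1 behaves as an all-ones mask
    dummy = mask & (a ^ b)
    return a ^ dummy, b ^ dummy


def x25519_constant_time(k: int, u: int) -> int:
    """RFC 7748 ladder: same operations, same order, for every scalar."""
    x2, z2, x3, z3 = 1, 0, u, 1
    swap = 0
    for t in range(254, -1, -1):
        k_t = (k >> t) & 1
        swap ^= k_t
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = k_t
        x2, z2, x3, z3 = ladder_step(u, x2, z2, x3, z3)
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    return x2 * pow(z2, P - 2, P) % P


def x25519_branchy(k: int, u: int, trace=None) -> int:
    """Same ladder, but the role swap is an `if` on the secret bit.
    `trace` records which branch ran, standing in for what a branch-predictor
    or instruction-cache side channel would observe (constructed model)."""
    x2, z2, x3, z3 = 1, 0, u, 1
    for t in range(254, -1, -1):
        k_t = (k >> t) & 1
        if trace is not None:
            trace.append(k_t)
        if k_t:   # secret-dependent branch: this is the leak
            x3, z3, x2, z2 = ladder_step(u, x3, z3, x2, z2)
        else:
            x2, z2, x3, z3 = ladder_step(u, x2, z2, x3, z3)
    return x2 * pow(z2, P - 2, P) % P


def recover_scalar(trace) -> int:
    """Attacker side: the 255 observed branch outcomes are the clamped scalar."""
    return sum(bit << (254 - i) for i, bit in enumerate(trace))


def x25519(k: bytes, u: bytes, constant_time: bool = True, trace=None) -> bytes:
    ki, ui = decode_scalar(k), decode_u(u)
    r = x25519_constant_time(ki, ui) if constant_time else x25519_branchy(ki, ui, trace)
    return r.to_bytes(32, "little")


# RFC 7748 sections 5.2 and 6.1 known-answer vectors (the RFC's values).
KAT_SCALAR = bytes.fromhex("a546e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449ac4")
KAT_U = bytes.fromhex("e6db6867583030db3594c1a424b15f7c726624ec26b3353b10a903a6d0ab1c4c")
KAT_OUT = bytes.fromhex("c3da55379de9c6908e94ea4df28d084f32eccf03491c71f754b4075577a28552")
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PUB = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BASEPOINT = (9).to_bytes(32, "little")

if __name__ == "__main__":
    assert x25519(KAT_SCALAR, KAT_U) == KAT_OUT
    assert x25519(ALICE_PRIV, BASEPOINT) == ALICE_PUB
    trace = []
    assert x25519(KAT_SCALAR, KAT_U, constant_time=False, trace=trace) == KAT_OUT
    assert recover_scalar(trace) == decode_scalar(KAT_SCALAR)
    print("both ladders match RFC 7748; the branchy one's branch trace is the clamped scalar")
```

Both functions compute the same point and pass the same vectors; the difference is only that the branchy one executes a different instruction path for a 1 bit than for a 0 bit, which is exactly what a co-resident attacker measures. The requirement in the thread is structural: no branch, memory index or loop bound may depend on a secret bit, and a masked swap over a fixed 255-iteration ladder satisfies it regardless of which curve is underneath. One caveat for this particular example: Python's arbitrary-precision integers are not themselves constant time, so the "constant time" version shows the correct control-flow shape, not a timing guarantee a deployed implementation could rely on.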